The alert was posted along with an apology on the League of
Legends official blog by Riot co-founders Marc Merrill and Brandon
Beck. It notes that usernames, email addresses, salted password
hashes, and some first and last names were accessed. "This means
that the password files are unreadable, but players with easily
guessable passwords are vulnerable to account theft," explains the post.

"Additionally, we are investigating that approximately 120,000
transaction records from 2011 that contained hashed and salted
credit card numbers have been accessed. The payment system involved
with these records hasn't been used since July of 2011, and this
type of payment card information hasn't been collected in any Riot
systems since then. We are taking appropriate action to notify and
safeguard affected players. We will be contacting these players via
the email addresses currently associated with their accounts to
alert them. Our investigation is ongoing and we will take all
necessary steps to protect players."

The blog post states that the data grab involving the usernames,
email addresses, salted password hashes, and names was limited to a
portion of North American account holders and that Riot will
therefore be enforcing a password change on all of its North
American players.

Players affected by the accessing of payment records will be
contacted via the email address associated with their account (so if
you're a LoL player, now would be an excellent time to make sure your
account information is up to date and to swap out your old
password for a new one). Wired.co.uk contacted Riot to check
whether players outside North America were affected by the
transaction record hack; a company spokesperson said not.

The company then took the opportunity to announce that it is
working on additional security features for its services, including
email verification and two-step authentication, in which changes to
an account require the player to input a code sent to another
device, usually a mobile phone associated with the account.

Given that email verification processes are now pretty standard
for registration with online services, it seems odd that Riot did
not have one in place already. Wired.co.uk contacted the developer
regarding the current process (we can't check ourselves as the
service is unavailable) and a spokesperson confirmed that at the
moment all a player needs to do is enter their details on the
registration page and an account is created immediately, without
checking that the email address provided is a valid one.